The UK Prudential Regulation Authority (PRA) published a policy statement (PS7/21) and a supervisory statement (SS2/21) on clarifying and modernizing regulatory expectations of outsourcing and third-party risk management on March 29. The expectations in PS7/21 and SS2/21 are relevant to banks, PRA-designated investment firms, insurers, and branches of overseas banks and insurers and apply not just to “outsourcing” but also non-outsourcing material or high-risk service arrangements. The expectations apply at a legal entity level rather than at a group level (save for expectations on intragroup arrangements).
The PRA’s expectations of third-party risk management should be read in conjunction with the proposed operational resilience framework.
In line with the timing of the PRA’s requirements and expectations on operational resilience, outsourcing arrangements entered into on or after March 31, 2021, should meet the expectations in SS2/21 by March 31, 2022. Firms should seek to review and update legacy outsourcing agreements entered into before March 31, 2021, at the first appropriate contractual renewal or revision point.
Helpfully, the PRA states that, due to the disruption and reprioritization caused by the COVID-19 pandemic and changes to the UK, EU, and global regulatory landscape, it no longer considers it proportionate for firms to make every effort to comply with the indicative timeline and process for reviewing their critical or important legacy outsourcing arrangements by December 31, 2021, as was stated in the European Banking Authority’s (EBA’s) guidelines on outsourcing arrangements.
The PRA states in PS7/21 that it received general support for the proposals in its consultation paper of December 2019 (CP30/19) and responses focused on specific areas for which the PRA has made targeted revisions to its final policy:
- Definitions and Scope: SS2/21 does not include the presumption from CP30/19 that arrangements performed or provided in a “prudential context” as defined in the PRA Rulebook will fall within the definition of “outsourcing.” Instead, firms should assess the materiality and risks of all third-party arrangements. Firms should implement risk-based controls for non-outsourcing third-party arrangements deemed to be material or high risk, although these controls do not have to be the same as those that apply to outsourcing arrangements. SS2/21 specifies examples of non-outsourcing third-party arrangements to include the design and build of an on-premise IT platform, the purchase of data collated by a third party, and the purchase of “off the shelf” machine learning models. In the case of insurers, the use of aggregators (e.g., pricing comparison platforms) and delegated underwriting will be considered as non-outsourcing. The PRA states that whether an arrangement is a one-off (e.g., software licenses) or recurrent (e.g., SaaS) service will be a factor for determining whether an arrangement constitutes outsourcing. Cloud arrangements should not automatically be considered outsourcing, although the PRA’s primary focus will be on whether the arrangement is material or high risk even if not an “outsourcing” under the PRA Rulebook. Finally, SS2/21 retains the definition of “material” from the PRA Rulebook but clarifies that materiality should be read as incorporating the concept of a “critical or important operational function” in relevant retained EU legislation, such as Solvency II.
- Proportionality: SS2/21 includes additional examples from CP30/19 of how a firm may comply proportionately with expectations of intragroup outsourcing arrangements, such as by relying on a centralized group process for overseeing external third-party service providers and relying on adequate business continuity, contingency, and exit plans developed at the group level. “Proportionality”, which focuses on the characteristics of a firm such as its size, internal organization, complexity of activities, and systemic significance, is separate but complementary to the “materiality” assessment of the potential impact of a given outsourcing or third-party arrangement on a firm’s safety and soundness.
- Governance and Recordkeeping: The PRA has announced a follow-up consultation on proposals for an online portal through which firms would submit information on their outsourcing and third-party arrangements in order to identify, monitor, and manage systemic concentration risk. In the meantime, firms should keep appropriate records of their outsourcing arrangements, which for banks includes a register of outsourcing arrangements in line with the EBA’s guidelines. Notable expectations that remain from CP30/19 include board engagement on outsourcing, meeting threshold conditions to avoid firms becoming “empty shells,” the application of the Senior Managers and Certification Regime to outsourcing, and certain contents of a firm’s outsourcing policy.
- Pre-outsourcing: SS2/21 clarifies that outsourcing a service within the scope of operational continuity in resolution requirements will generally constitute “material outsourcing,” along with arrangements involving confidential, personal, or sensitive data or with potential high reputational risk. SS2/21 states that in some circumstances it may be appropriate for firms to notify the PRA of a planned material arrangement before a final service provider has been selected.
- Outsourcing Agreements: CP30/19 specified various provisions that the PRA expects firms to include in outsourcing agreements, implementing the EBA’s outsourcing guidelines. SS2/21 includes an additional expectation for a firm to make the PRA aware if any third-party service provider in a material outsourcing or other third-party arrangement is unable or unwilling to include certain terms within the contract that reflect the firm’s obligations under the regime. SS2/21 also specifies contractual termination rights that firms may elect to include in their contracts, such as for material breaches of law, situations that create risks beyond their tolerance, or situations that are not adequately notified and remediated in a timely manner.
- Data Security: SS2/21 has been revised since CP30/19 to take into account the EBA’s subsequent ICT guidelines and feedback from respondents, including as to security controls, data location, and data classification. The PRA has clarified that SS2/21 should not be interpreted as explicitly or implicitly favoring or imposing restrictive data localization requirements, although firms should adopt a risk-based approach to the location of data.
- Access, Audit, and Information Rights: SS2/21 includes guidance additional to CP30/19 that where an onsite audit could create an unmanageable risk for the provider and/or other clients, the firm and service provider should agree on alternative ways to provide an equivalent level of assurance while not removing the contractual rights for an onsite audit. For material outsourcings, the firm should inform the PRA of such alternatives.
- Sub-outsourcing: SS2/21’s expectations have been clarified from CP30/19 to only apply to “material” sub-outsourcings. A firm’s primary responsibility is to ensure that third-party service providers appropriately manage any material sub-outsourcing, and the PRA will not expect firms to directly monitor fourth parties in all circumstances. As to contractual provisions, SS2/21 reflects those provisions contained in CP30/19 and includes additional examples of termination right triggers in respect of material sub-outsourcings.
- Business Continuity and Exit Plans: SS2/21 states that before a contractual agreement becomes effective, firms should evaluate what would be involved in delivering an effective stressed exit and use this to formulate their exit plan. For cloud arrangements, the PRA clarifies that there is no hierarchy or one-size-fits-all combination of cloud resiliency options.
Interaction with EBA, EIOPA, and ESMA Guidelines
The PRA states that SS2/21 should be the primary source of reference for UK firms when interpreting and complying with PRA requirements on outsourcing and third-party risk management. SS2/21 implements the EBA’s guidelines on outsourcing arrangements and parts of the EBA’s guidelines on ICT and security risk management.
SS2/21 does not implement the European Insurance and Occupational Pensions Authority (EIOPA) guidelines on outsourcing to cloud service providers and guidelines on information and communication technology security and governance (which we note the UK Financial Conduct Authority confirmed it would not enforce), or the European Securities and Markets Association (ESMA) guidelines on outsourcing to cloud service providers, which each came into force after December 31, 2020 (i.e., the end of the Brexit implementation period). EIOPA’s and ESMA’s guidelines will continue to apply to the European operations of UK firms and to the activities undertaken in the European Union by firms that also have a UK presence. However, the PRA considers that the expectations in SS2/21 are at least equivalent to those guidelines in effectiveness and substance and provide additional guidance on key topics covered in those guidelines, such as data security, business continuity, and the application of proportionality to intragroup outsourcing and outsourcing arrangements for third-country branches.